CASE-BRIEF-2020-001
VIVINT SECURITY SYSTEM CONTROL PANEL ANALYSIS
Vivint is a manufacturer of smart home devices that include security cameras, door locks, and many kinds of sensors. The main control panel of a Vivint home security system was submitted to DC3/CFL as part of an investigation where it was believed a person used the system to surreptitiously observe his 15-year-old stepdaughter via a Wi-Fi enabled camera in her bedroom. The main home security panel was capable of holding a (missing) 2.5” hard drive for storing recordings from the security cameras connected to the system.

The challenge was to determine whether there was data on the Vivint’s internal memory chip showing that videos or images had been stored to the missing 2.5” drive. The investigative effort was to use this data to support or invalidate the suspect’s assertion that the video camera was turned off and not recording during the time in question.

The Vivint’s main control panel held an 8GB eMMC flash memory chip on its internal printed circuit board (PCB). With the 2.5” internal hard drive missing and the Vivint cloud inaccessible, the eMMC was the only potential evidentiary data source for the Vivint system.

DC3 forensic examiners performed data extraction using forensic ‘chip-off’ methods to first remove the eMMC from the PCB. A forensic image was acquired using a hardware test socket adapter connected via a USB write blocker, enabling a forensic examination of the Linux-based file system using common tools. Specialized software applications were used to examine specific file types including log files, SQLite databases, and video recording data containing beginning and end frame times.
The examination of the forensic image revealed a 4.1GB partition identified as ‘Partition 6’ containing databases, logs and a file titled “clips.img”. This “clips.img” file contains image thumbnails of recordings initiated from motion alerts from the connected security cameras including the video file clip of the motion alert recording. The filenames of videos stored on the eMMC are uniquely identified as follows: the first set of data is the date/time stamp, followed by the hardware identifier of the recording/sensor device, and then an alert ID for the motion alert. An examination of these files showed the camera(s) had been active during the time frame in question.
Another file obtained from the eMMC forensic image was the database “Root/db/sundance.db”. This file contained the account holder’s name and address as well as the geospatial coordinates for the Vivint system. This database also contained data for the devices and sensors connected to the security system including the hardware identifiers for the cameras connected to the system and the custom names given to them by the user.
The “Root/db/sundance.db” also contains camera settings data showing the configuration options for each camera such as microphone settings and video quality settings. An examination of this file showed the camera in the victim’s room was the only camera connected to the system with the video quality set to maximum.
The examination also revealed a file named “Root/log/cameras.log” containing warnings, errors and connection information from the cameras connected to the system. An examination of this file showed many log entries related to the camera in the victim’s room, including error messages showing the camera was inaccessible during these events. This information supported the victim’s claim she regularly unplugged the camera in her room only to later find it plugged in again.
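The clip filenames and the camera names stored in the database can be combined to test whether a camera produced motion clips inside a given time window. The following is an added example, not code from DC3 or Vivint: the brief gives only the order of the filename fields, so the underscore delimiter, the 14-digit timestamp encoding, the hardware identifiers, and all sample names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# ASSUMED layout (the brief states only the field order):
#   <YYYYMMDDHHMMSS>_<hardware id>_<alert id>.<ext>
def parse_clip_name(name):
    """Return (timestamp, hardware_id, alert_id), or None if the name does not fit."""
    parts = name.rsplit(".", 1)[0].split("_")
    # strptime accepts short digit runs, so enforce the full 14-digit stamp first.
    if len(parts) != 3 or len(parts[0]) != 14 or not parts[0].isdigit():
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2]

def clips_in_window(names, start, end, camera_names):
    """Group clips with start <= timestamp < end by camera; keep unparsed names."""
    hits, rejected = defaultdict(list), []
    for name in names:
        parsed = parse_clip_name(name)
        if parsed is None:
            rejected.append(name)  # report these, never silently drop them
            continue
        ts, hw_id, alert_id = parsed
        if start <= ts < end:
            # camera_names stands in for the user-assigned names in the database
            label = camera_names.get(hw_id, f"unknown ({hw_id})")
            hits[label].append((ts, alert_id))
    return {cam: sorted(events) for cam, events in hits.items()}, rejected

# Constructed sample data, not taken from the case.
SAMPLE_NAMES = [
    "20200114213005_CAM0A1_1001.jpg",
    "20200114221530_CAM0A1_1002.jpg",
    "20200115080000_CAM0B2_1003.jpg",
    "20200114220000_CAM0C3_1004.jpg",
    "thumb_cache.tmp",
]
SAMPLE_CAMERAS = {"CAM0A1": "Bedroom", "CAM0B2": "Front Door"}

if __name__ == "__main__":
    window = (datetime(2020, 1, 14, 21, 0), datetime(2020, 1, 14, 23, 0))
    hits, rejected = clips_in_window(SAMPLE_NAMES, *window, SAMPLE_CAMERAS)
    for camera, events in hits.items():
        for ts, alert_id in events:
            print(f"{camera}: alert {alert_id} at {ts.isoformat()}")
    print("not parsed:", rejected)
```

Timestamps are compared as naive values here; the time zone the panel uses for filenames has to be established before any result is placed on a case timeline.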
The forensic examination of this particular Vivint system demonstrates that information of potential investigative and evidentiary value can be recovered from such systems even when the internal storage media has been damaged or removed.

The Vivint control panel also contained information about activities around the house, including doors being locked and unlocked. Given the variety of sensors (e.g., motion, open/close, glass breakage, smoke, carbon monoxide), forensic examination could provide valuable insights into activities related to any investigation involving a property equipped with a smart home security system. In some cases more information about past activities might be obtained from cloud servers specific to the account configured in the smart home security system.
Contributors Acknowledgements
Case Briefs cover aspects of a specific investigation to inform members of the D/MM Forensic community (e.g., first responders, investigators, forensic examiners, analysts, developers, researchers, attorneys, judges) about emerging opportunities and challenges. This body of work was derived from subject matter research and in support of an actual DC3/CFL examination.
- Kevin Westerman (DC3/CFL Forensic Examiner)
- DC3 Editorial Board (Curation, Review, & Publication)
For additional information and specific requests please reach out to DC3 at hub@dc3.mil.